KU told to step up computer security

Report calls for more written policies to ensure procedures followed

Topeka  Kansas University should have more written policies governing computer security and an expanded role for its information technology security officer.

Those were among the recommendations of a report made public Monday by the Legislative Division of Post-Audit. Auditors were examining information technology security at KU, Kansas State University and Emporia State University.

Marilu Goodyear, vice provost for information services for KU, said the university already was working to correct many of the problems cited in the report.

Large portions of the report, presented Monday to the Post-Audit Committee, were deemed confidential because they involved security deficiencies and were released and discussed only in executive session.

Auditors said KU had several areas where procedures were adequate but there were no written policies to go along with those practices. Those included changing default passwords on new computers, backing up data on a regular basis and performing regular security awareness training on campus.

"The lack of written policies increases the risk that intended procedures won't be followed," the auditors wrote. "When computer security policies aren't written, people tend to make up their own ways of doing things, or don't do anything at all. It takes only one 'hole' in an organization's computer security for its data to be compromised."

KU officials know too well about that. They've had high-profile security breaches three times in the past 27 months: in January 2003, when hackers gained access to personal information on 1,450 international students; in April 2004, when hackers compromised a server containing medical information on past patients at Watkins Health Center; and in November 2004, when hackers gained access to employee and medical data contained at the Life Span Institute site in Parsons.

Kansas University engineering students use the Self Computing Lab
in Eaton Hall on Monday. A report released on computer security at
KU calls for more written procedures about its policies.

Another proposal made public Monday was the need for Chuck Crawford, IT security officer, to report directly to Goodyear instead of to Donna Liss, assistant vice provost for information services. Auditors said the lower ranking might cause "others (to) challenge his authority."

Goodyear said she disagreed with that recommendation, saying Crawford could deal with Liss on matters of security and with herself on matters such as reporting incidences to others on campus.